Enforce MFA second factor (Duo) for SP with IDP side config?

Losen, Stephen C (scl) scl at virginia.edu
Thu Nov 15 15:17:52 EST 2018

Hi folks,

I have configured our IDP to enforce MFA second factor (Duo) if the SP requests an auth context class (ACC) that can only be satisfied by Duo. I believe this is the normal way to handle this.

However, I fear I am dealing with a SP (Workday) that does not support specifying an ACC in the auth request.  So that means I may need to set this up on the IDP side.  I can edit the SP metadata, but I don't think ACC is something that I can specify there (please tell me I'm wrong).  Can ACC be specified in relying-party.xml?

I know I can do this with a context-check-intercept or else with an attribute release filter. 

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640

More information about the users mailing list